Complex Hacking - Computer Compromise
Every time I attend a "Security Guru's" meeting, I'm amazed by how much time and effort is spent on discussing complex hacking and computer compromise of computer networks and systems.
One person is going on about the latest "heap corruption" vulnerability and another is discussing man-in-the-middle techniques for compromising remote access systems.
Most of these vulnerabilities are very difficult to successfully exploit. Some of them require specific host platforms, special tools, in-depth knowledge of many programming languages, and a lot of luck.
I'm not saying there are not tons of vulnerabilities and exploits like these, it's just that they are not always easy to take advantage of, and therefore, may not present themselves as high risk events for most organizations.
It's The Little Things That Will Get You Every Time
During security assessments, there are times when I am able to successfully exploit a "technical" vulnerability to gain system or internal network access. For instance; during a recent assessment, I identified a web application server that appeared to be vulnerable to an IIS / ASP vulnerability that would allow an attacker to dump all .ASP code on the server. After some effort and a little C/C++ code, I was able to take advantage of this exploit. After perusing through the .ASP code on the server, I was able to gain important information that resulted in the comprise of an internal system.
However, the reality is - it is the simple things that are the biggest problem. Most times, internal network compromise is the result of one or more of the following:
- The installation of a web support application that has little to no security features to begin with;
- The installation of support software that has a well-known default password for the admin account. And, the person installing the software never bothers to change the password;
- Improperly configured communications devices such as routers and switches;
- Important, and sometimes critical documents left on web servers. Information that only internal or technical people should have access to;
- Poor password and authentication policy. Users using weak passwords to access accounts, especially remote access devices that are present on the Internet;
- Test servers that the have been forgotten about and are still present on the Internet;
- Poor network border architecture. For instance; installing a firewall and forgetting that there are other networks that need to be protected or should be placed behind the firewall.
The above is just a handful of "Little Things" that get overlooked and can result in the undoing of your network's security measures.
As an example: Many organizations provide their internal and external customers with a public FTP service. Most times, this is done to allow people to easily post "non-critical" or public information and share it with other associates.
Recently, I identified just such an FTP server. The server allowed anonymous logons, however it contained sub-directories that were secured. These secure directories were only accessible by the people who owned the account. It was obvious to me that I was not going to easily compromise these accounts. On the other hand, sitting right in the anonymous "root" directory was a .zip file that was rather large. I downloaded the file, which took quite a while, unzipped it on my desktop, and guess what it contained? It was a compressed file of the entire FTP server, including the secure directories.
I would bore you with what I found within these directories. The bottom line is, I should have never had access to the information they contained.
The bottom line is this; it really is the little things that will come back to haunt you when it comes to computer security. No system should ever be rushed into production. This is one of the most common causes for poorly secured systems. The team in charge of implementing new technology needs to be educated on how to securely deploy new systems. And if you are installing support software from outside vendors, make sure you thoroughly review their products' security features. Also, make sure they fully disclose any known bugs or improperly functioning features.
Original URL (The Web version of the article)